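--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/bugs/test_generateCRMFRequest.html
@@ -0,0 +1,142 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>crypto.generateCRMFRequest bugs</title>
+ <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body onload="onWindowLoad()">
+<script class="testbody" type="text/javascript">
+
+ SimpleTest.waitForExplicitFinish();
+
+ function onWindowLoad()
+ {
+ // Does it work at all?
+ try {
+ var crmfObject = crypto.generateCRMFRequest("CN=undefined", "regToken",
+ "authenticator", null, "",
+ 512, null, " rsa-ex ",
+ 1024, null, "\r\n\t rsa-sign\t");
+ ok(true, "no exception thrown in generateCRMFRequest");
+ } catch (e) {
+ ok(false, "unexpected exception: " + e);
+ }
+
+ // bug 849553
+ // This should fail because 8 is too small of a key size.
+ try {
+ var crmfObject = crypto.generateCRMFRequest("CN=undefined", "regToken",
+ "authenticator", null, "",
+ 8, null, "rsa-ex",
+ 1024, null, "rsa-sign");
+ ok(false, "execution should not reach this line");
+ } catch (e) {
+ is(e.toString(), "Error: error:could not generate the key for algorithm rsa-ex", "expected exception");
+ }
+ // This should fail because 65536 is too large of a key size.
+ try {
+ var crmfObject = crypto.generateCRMFRequest("CN=undefined", "regToken",
+ "authenticator", null, "",
+ 65536, null, "rsa-ex",
+ 1024, null, "rsa-sign");
+ ok(false, "execution should not reach this line");
+ } catch (e) {
+ is(e.toString(), "Error: error:could not generate the key for algorithm rsa-ex", "expected exception");
+ }
+
+ // bug 882865
+ var o200 = document.documentElement;
+ var o1 = crypto;
+ try {
+ o1.generateCRMFRequest("undefined", o200, 'X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X', null, o1, 1404343237, Math.PI, []);
+ ok(false, "execution should not reach this line");
+ } catch (e) {
+ // The 'key generation argument' in this case was an empty array,
+ // which gets interpreted as an empty string.
+ is(e.toString(), "Error: error:invalid key generation argument:", "expected exception");
+ }
+
+ // Test that an rsa certificate isn't used to generate an ec key.
+ try {
+ var crmfObject = crypto.generateCRMFRequest("CN=a", "a", "a", null, "",
+ 1024, "popcert=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", "ec-dual-use");
+ ok(crmfObject, "generateCRMFRequest succeeded");
+ var request = crmfObject.request;
+ var bytes = atob(request.replace(/\r\n/g, ""));
+
+ // rsaEncryption oid encoded in the request (as ASN1)
+ var badIdentifier = [ 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
+ 0x01, 0x01, 0x01 ];
+ ok(!findIdentifierInString(badIdentifier, bytes),
+ "didn't find bad identifier in request");
+
+ // secp256r1 encoded in the request (as ASN1) (this is the default for
+ // a "1024-bit" ec key)
+ var goodIdentifier = [ 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03,
+ 0x01, 0x07 ];
+ ok(findIdentifierInString(goodIdentifier, bytes),
+ "found good identifier in request");
+ } catch (e) {
+ ok(false, "unexpected exception: " + e);
+ }
+
+ // Test that only the first of repeated keygen parameters are used.
+ try {
+ var curveCrmfObject = crypto.generateCRMFRequest("CN=a", "a", "a", null,
+ "", 1024, "curve=secp521r1;curve=nistp384",
+ "ec-dual-use");
+ ok(curveCrmfObject, "generateCRMFRequest succeeded");
+ var curveRequest = curveCrmfObject.request;
+ var curveBytes = atob(curveRequest.replace(/\r\n/g, ""));
+
+ // nistp384 encoded in the request (as ASN1)
+ var badIdentifier = [ 0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x22 ];
+ ok(!findIdentifierInString(badIdentifier, curveBytes),
+ "didn't find bad identifier in curve request");
+
+ // secp512r1 encoded in the request (as ASN1)
+ var goodIdentifier = [ 0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x23 ];
+ ok(findIdentifierInString(goodIdentifier, curveBytes),
+ "found good identifier in curve request");
+
+ // The popcert=MII... values are base-64 encodings of self-signed
+ // certificates. The key of the first one is a secp521r1 key, whereas
+ // the second is nistp384.
+ var popcertCrmfObject = crypto.generateCRMFRequest("CN=a", "a", "a",
+ null, "", 1024, "popcert=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;popcert=MIIBRDCBy6ADAgECAgUAnVEotzAJBgcqhkjOPQQBMAwxCjAIBgNVBAMTAWkwHhcNMTMxMTA2MjIwMDExWhcNMTQwMjA2MjIwMDExWjAMMQowCAYDVQQDEwFpMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEXjFpZ9bodzikeN4C8p2mVj1Ia1t+8zIndSavQHmxaD3+kvhkt18+P20ZagfBOaVEQZdArZ6KxBeW9oYZqaNpqHLveGlKYi6u9z5FyozAx4MXzyLdfu+bzOLIsryKRnLFMAkGByqGSM49BAEDaQAwZgIxAJDawIJLQ5iZsJVC3vV1YEKsI2aNEicdZ3YTMp/zUy+64Z2/cjyyfa7d5m1xKLDBogIxANHOQoy/7DioCyWNDDzx5QK0M24dOURVWRXsxjAjrg4vDmV/fkVzwpUzIr5fMgXEyQ==", "ec-dual-use");
+ ok(popcertCrmfObject, "generateCRMFRequest succeeded");
+ var popcertRequest = popcertCrmfObject.request;
+ var popcertBytes = atob(popcertRequest.replace(/\r\n/g, ""));
+ ok(!findIdentifierInString(badIdentifier, popcertBytes),
+ "didn't find bad identifier in popcert request");
+
+ ok(findIdentifierInString(goodIdentifier, popcertBytes),
+ "found good identifier in popcert request");
+ } catch (e) {
+ ok(false, "unexpected exception: " + e);
+ }
+ SimpleTest.finish();
+ }
+
+ function findIdentifierInString(identifier, str) {
+ var matches = 0;
+ for (var i = 0; i < str.length - identifier.length;
+ i += (matches != 0 ? matches : 1)) {
+ matches = 0;
+ for (var j = 0; j < identifier.length; j++) {
+ if (identifier[j] == str.charCodeAt(i + j)) {
+ matches++;
+ } else {
+ break;
+ }
+ }
+ if (matches == identifier.length) {
+ return true;
+ }
+ }
+ return false;
+ }
+</script>
+</body>
+</html>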
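Review bot: findIdentifierInString can report "not found" for an identifier that is present, which matters most for the `ok(!findIdentifierInString(badIdentifier, ...))` assertions, since a missed match makes them pass. The outer loop stops at `i < str.length - identifier.length`, so a match ending on the last byte of `str` is never tested. After a partial match it also advances by `matches`, which is safe only because the OIDs used here contain 0x06 at index 0 and nowhere else; that would not hold for an arbitrary identifier. I would write the loop header as `for (var i = 0; i <= str.length - identifier.length; i++) {` and drop the skip. Separately, the comment `// secp512r1 encoded in the request (as ASN1)` should read secp521r1 to match the `curve=secp521r1` argument it describes.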